From: Om
Date: Thu, 19 Jul 2012 11:16:52 -0700
Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
To: infrastructure-dev@apache.org
Cc: Dave Fisher, Dean Coclin, richard_hall@symantec.com

On Thu, Jul 19, 2012 at 6:50 AM, Richard Hall wrote:
> Hi Dave,
>
> Our hosted signing service does not currently provide the ability to sign
> Air applications, but we do offer Code Signing certs for Adobe Air from our
> website:
>
> http://www.symantec.com/verisign/code-signing/adobe-air
>
> Would this work for you? Please let us know if you have any questions.
>
> Thanks,
>
> Rich
>

Rich,

This would work perfectly fine for us.

Thanks,
Om
Apache Flex PPMC Member

> -----Original Message-----
> From: Dave Fisher [mailto:dave2wave@comcast.net]
> Sent: Wednesday, July 18, 2012 7:12 PM
> To: infrastructure-dev@apache.org
> Cc: Dean Coclin; Richard Hall
> Subject: Re: Proposed: Code (.jar/.msi/binaries) Signing Service Offer
>
>
> On Jul 17, 2012, at 3:14 PM, William A. Rowe Jr. wrote:
>
> > Richard, Dean, can you provide any insight? I just reviewed the infra-dev
> > list history... if I missed your earlier reply I apologize in advance.
>
> Gentlemen,
>
> The Apache Flex podling would like to sign AIR applications as well:
>
> http://livedocs.adobe.com/flex/3/html/help.html?content=distributing_apps_4.html
>
> Thanks for your consideration,
> Dave
>
> > Bill
> >
> > On 6/28/2012 6:18 PM, William A. Rowe Jr. wrote:
> >> Q's for Dean inline;
> >>
> >> On 6/27/2012 11:11 AM, Jürgen Schmidt wrote:
> >>>
> >>> sorry for jumping in but I hope that a short question is allowed.
> >>
> >> [Yes, that's why we launched the thread here for anyone interested in
> >> signing ASF binary objects.]
> >>
> >>> I am currently investigating a reliable code signing process for
> >>> Apache OpenOffice (AOO) to become a good citizen in the Windows world
> >>> and especially the upcoming Windows 8.
> >>>
> >>> AOO is bigger and we have to sign a lot of *.dll and *.exe during the
> >>> build, package the files in an msi/setup etc., sign the final setup bits
> >>> and finally sign a downloadable self extracting exe.
> >>>
> >>> Because of the huge size and the many many files I believe that it makes
> >>> most sense to have a certificate on a dedicated build machine.
> >>
> >> Hi Jurgen; meaning no disrespect, that wouldn't be likely to happen in any
> >> case for reasons already spelled out on the list. As I was designing the
> >> svn <-> signing service, I was actually laying it out that I myself would
> >> never have access to that key myself.
> >>
> >> On the other hand, I was designing it to unfold a .cab (or .msi), sign all
> >> the individual bits in that package, and refold it back into a .cab (and
> >> nested back into the .msi, which is then itself signed). The same could
> >> be true for a Java .jar (.zip) binaries collection.
> >>
> >>
> >> Dean, a few additional questions for you from these thoughts;
> >>
> >> Can the code signing service accept a rolled up .msi or .jar (.zip) and
> >> sign multiple embedded bits?
> >>
> >> Is the logic out there for 'batching' a bunch of files together?
> >>
> >> In either case, will a single 'signing key' be used, or will each individual
> >> artifact be individually signed?
> >>
> >> Can .msi or .jar packages themselves be signed through the service?
> >>
> >> And finally, has anything changed in the past year about an organization having
> >> OU subordinate keys? E.g. "O=Apache Software Foundation,OU=Apache Open Office"
> >> individual or department keys? Last I understood, only a single org code
> >> signing cert would be made available. We have approx 12 RM's at the ASF today
> >> who would like to begin signing packages, if one key/cert can be tied into one
> >> individual committer. Or (in this case) can "O=Apache Open Office" be its own
> >> signing key?
> >>
> >>> But anyway whatever process in the end is working and possible, I would
> >>> like to ask if it is possible to get some kind of test certificate to
> >>> improve our testing.
> >>
> >> Or, perhaps test-integrate with the signing service, if it provides for batch
> >> submission?
> >>
> >>> My self signed certificate created with makecert is 1024 bit only and I
> >>> have read that a code signing cert has to be at least 2024 bits. I
> >>> don't know if that makes a difference in the Windows 8 App Certification
> >>> Kit.
> >>
> >> First off, 1024 is not 21'st +10y friendly. The minimum cert size for any
> >> reliable cryptography is 2048 bits today (measured as an RSA style key,
> >> obviously DSS/DH and ECC use different logic and different 'safe' key
> >> sizes). If you believe the US NIST, 2048 is going to hold us till 2030,
> >> but I won't be holding my breath on that one :)
> >>
> >> Secondly, any pointers to local test signing certs for binaries and .msi
> >> packages on windows would be very helpful to me as well.
> >>
> >>> I think AOO with currently >6million downloads (since May 8th) can be a
> >>> good promotion for Symantec when people notice where the certificate
> >>> comes from.
> >>
> >> +1 :)
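The thread turns on Bill's point that a code-signing certificate's RSA key must be at least 2048 bits, and on Jürgen's 1024-bit makecert certificate. As an added example (not code from the thread or from any ASF or Symantec tooling), here is a stdlib-only check a release manager can run over a PEM or DER certificate before submitting it to a signing service or to the Windows App Certification Kit; `build_test_cert` is an assumed helper that produces a structurally minimal, unsigned stand-in certificate purely as constructed test input, not a real or usable certificate.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded

def _tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):                                  # split a constructed node into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def rsa_key_bits(cert):
    """Return the RSA modulus size in bits of an X.509 certificate given as PEM or DER bytes."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in cert.splitlines() if not l.startswith(b"-----"))
        cert = base64.b64decode(body)
    _, tbs, _ = _tlv(_tlv(cert, 0)[1], 0)              # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    spki = fields[5][1]                                # serial, sigAlg, issuer, validity, subject, SPKI
    (_, alg), (_, bitstr) = _children(spki)
    if not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption public key")
    rsa_pub = _children(bitstr[1:])[0][1]              # skip unused-bits byte, enter RSAPublicKey
    (_, modulus), _exponent = _children(rsa_pub)
    return int.from_bytes(modulus, "big").bit_length()

def meets_minimum(cert, minimum=2048):                 # the floor Bill states for RSA signing keys
    return rsa_key_bits(cert) >= minimum

# --- Constructed test input only (assumed helpers, not a real certificate) ---
def _der(tag, body):                                   # DER TLV with short- or long-form length
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def _int(v):                                           # minimal positive DER INTEGER
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def build_test_cert(bits):
    """Unsigned, structurally minimal DER certificate carrying an RSA key of exactly `bits` bits."""
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    rsa_pub = _der(0x30, _int((1 << (bits - 1)) | 1) + _int(65537))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    empty = _der(0x30, b"")                            # stand-in issuer / validity / subject
    tbs = _der(0x30, _der(0xA0, _int(2)) + _int(1) + alg + empty * 3 + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))
```

On a real certificate, `rsa_key_bits(open("cert.pem", "rb").read())` reads the key size straight from the SubjectPublicKeyInfo; a non-RSA (DSS/ECC) key raises, since, as the thread notes, those use different safe-size rules.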